How applications run without using PATH variable

Ever wondered how some applications, for example Winword, Excel, Outlook, start automatically when called from 'Run' window without providing their complete path even though the system PATH variable doesn't have these applications' locations? The answer is in this registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\

So the next time any of the applications do not start without the complete path but you are sure that it exists on the system, check that the registry should have the right information.

Thanks to Mohit Sharma for discovering this info! :)

Strange Errors in Excel

Came across a very strange error message in Excel 2003 - "Your entry cannot be used. An integer or decimal number may be required" This message appeared whenever I tried changing font size in a cell/sheet or when tried moving from one tab to any other tab in Options window.

Eventually, it turned out that this issue was the result of missing Decimal symbol in Regional Settings. As soon the decimal symbol (.) was restored, this issue was resolved.

Feedburner integrated with Blogger.com feeds

Feedburner now offers feeds integration for Blogger.com blogs. Gone are the days when one had to fiddle with the blogger template to replace blogger's default feed source with feedburner's feed link! Just go to the template page now and enter you feedburner feed source. Mind you, this configuration will not replace your default blooger feed source; it'll only redirect that link to feedburner's feed link. Also note that, apparently this configuration redirects only Atom feeds, and not RSS feeds.

This is just the begining of the services users will start to get with feedburner's acquisition by Google. Like, few days ago, feedburner announced two of its previously PRO (paid) services as freely available now - FeedBurner Stats PRO & MyBrand.

Active Directory Explorer v1.0 by Sysinternals

Sysinternals released a new tool for Active Diretory administrators called Active Directory Explorer v1.0

Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.

AD Explorer also includes the ability to save snapshots of an AD database for off-line viewing and comparisons. When you load a saved snapshot, you can navigate and explorer it as you would a live database. If you have two snapshots of an AD database you can use AD Explorer's comparison functionality to see what objects, attributes and security permissions changed between them.

Download page: http://www.microsoft.com/technet/sysinternals/utilities/adexplorer.mspx

VBScript: Function Code to Convert Bytes to KB/MB/GB/TB

When querying for disk space sizes using WMI, it returns the numbers in bytes. These large numbers in bytes do not make much sense until they are converted into Kilobytes (KB), Megabyte (MB), Gigabyte (GB), or Terabyte (TB) and so on. Quite frequently I need to convert these sizes in bytes to KB/MB/GB/TB for better interpretation. I therefore created a quick VBScript function which I call inside VBScript code whenever I need to convert numbers in bytes to KB/MB/GB/TB.

Function ConvertSize(Size)
Do While InStr(Size,",") 'Remove commas from size
    CommaLocate = InStr(Size,",")
    Size = Mid(Size,1,CommaLocate - 1) & _
        Mid(Size,CommaLocate + 1,Len(Size) - CommaLocate)
Loop

Suffix = " Bytes"
If Size >= 1024 Then suffix = " KB"
If Size >= 1048576 Then suffix = " MB"
If Size >= 1073741824 Then suffix = " GB"
If Size >= 1099511627776 Then suffix = " TB"

Select Case Suffix
    Case " KB" Size = Round(Size / 1024, 1)
    Case " MB" Size = Round(Size / 1048576, 1)
    Case " GB" Size = Round(Size / 1073741824, 1)
    Case " TB" Size = Round(Size / 1099511627776, 1)
End Select

ConvertSize = Size & Suffix
End Function

How To Uninstall RDP 6.0

I have been seeing couple of queries in few tech forums for uninstalling Remote Desktop Connection (RDP) 6.0, or how to revert to original version of XP SP2 RDP client (mstsc.exe version 5.1.2600.2180).

RDP 6.0 was released as a patch (KB925876), therefore, by default it doesn't appears as a seperate entry in Add/Remove list. To uninstall it, you'll have to click on the check box of "Show updates" in Add/Remove window, select "Update for Windows XP (KB925876)", and remove it.

Alternatively, you can also browse to the folder C:\WINDOWS\$NtUninstallKB925876$\spuninst\ and run spuninst.exe from there, which will uninstall RDP 6.0 client and revert to the older version.

IE Search Shortcuts

TweakUI has a nice handy feature of creating Internet Explorer search shortcuts. So, instead of opening www.google.com first and then typing the search string, TweakUI lets you assign a search prefix (e.g. “g”) to Google’s search URL. You can then type “g searchstring” directly in IE’s address bar to search for “searchstring” using Google search. For example, Google’s search URL for the search string “ipod” is http://www.google.com/search?hl=en&q=ipod. To create a shortcut for this search URL, copy-paste it in TweakUI window and replace the search string “ipod” with “%s” (http://www.google.com/search?hl=en&q=%s).

You can create search shortcuts not only for Search engines, but for any site which offers search functionality by observing their search URLs in the address bar. Below are some of the search shortcuts that I use for some common sites.

Shortcut	Search URL	What for?
a	http://www.answers.com/topic/%s	Answers.com
c	http://support.citrix.com/article/%s	Citrix Support Articles
d	http://www.dnsstuff.com/tools/whois.ch?ip=%s	WHOIS lookup on dnsstuff.com
e	http://eventid.net/display.asp?eventid=%s	Lookup info on Windows Event IDs
f	http://filext.com/detaillist.php?extdetail=%s	Lookup details of any file extension
g	http://www.google.com/search?hl=en&q=%s	Google search
kb	http://support.microsoft.com/default.aspx?scid=kb;en-us;%s	Microsoft KB support articles
p	http://www.processlibrary.com/directory?files=%s	Lookup executable/DLLs details
r	http://dictionary.reference.com/search?q=%s	Word meaning references
t	http://www.rottentomatoes.com/search/full_search.php?search=%s	Rottentomatoes.com
w	http://en.wikipedia.org/wiki/Special:Search?search=%s	Wikipedia search

After you have created these shortcuts, you can export the relevant registry key as a backup or to import that to any other computer. These shortcuts are located at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL. Export this key into a .REG file and import it on any other computer. These shortcuts work with IE7 as well.

Here is the .REG file with above shortcuts. If you are geeky enough, you can add/modify entries in your registry even without TweakUI!

A Quick Workaround for error "Failed to Launch. The Server returned CharlotteAppHostUnreachable"

Sometimes Citrix application when launched via Program Neighborhood Agaent (PNAgent) shows the error message - Failed to Launch. The Server returned CharlotteAppHostUnreachable. The issue apparently is related to Zone Data Collector (ZDC), though I haven’t been able to find the reason accurately.

Usually server restart resolves the issue. If not, then to avoid downtime for the application, a quick workaround is to create an .ICA file for the application and provide that to users. Directly accessing the remote application via .ICA file would work even if the application shows that error message when launched via PNAgent. This way you can continue to troubleshoot the issue without impacting application users!

Reference: https://support.citrix.com/article/CTX106828&parentCategoryID=274

How To Disable Credentials Prompt of RDP 6.0

Remote Desktop Connection client 6.0 introduces new authentication features to improve security for Windows Vista and Windows Longhorn Server, which makes it mandatory for the user to enter logon credentials before RDP client can establish connection to the remote server (" Enter your credentials for <server>. These credentials will be used when you connect to the remote computer" ). But if the remote machine is configured to show logon warning message or if the remote system happens to be Windows 2000 or XP, you’ll need to enter the credentials again at remote machine’s logon screen.

There is however a workaround to skip the credentials screen that RDP 6.0 client shows by choosing “Do not attempt authentication” under Authentication options on the Advanced tab, but this option is not set permanently. To permanently skip the additional credential screen of RDP 6.0 client, edit the Default.RDP file in notepad to include enablecredsspsupport:i:0 . The Default.RDP is located in each user’s My Documents folder. Including enablecredsspsupport:i:0 disables the Credentials Security Service Provider for the connection. If you use separate .RDP files for different server, modify each of those .RDP files. Below is the content section of the default.rdp file with enablecredsspsupport:i:0 option included.

redirectposdevices:i:0
authentication level:i:0
enablecredsspsupport:i:0
prompt for credentials:i:0
negotiate security layer:i:1

Note that this workaround is suggested only if you connect Windows 2000/2003/XP systems because according to Terminal Services Team blog post – “This option does disable the new credential prompting behavior, but it also disables support for Network Level Authentication for Vista (and Longhorn Server) RDP connections; Network Level Authentication requires credentials to be provided by the client before a session is created on the server side.” So if you do connect to Vista/Longhorn over RDP, you’ll not be able to use this option.

References: http://blogs.msdn.com/ts/archive/2007/01/22/vista-remote-desktop-connection-authentication-faq.aspx

How To Disable Outlook Security Warning - "A program is trying to access e-mail addresses..."

When any software tries to access Outlook Address Book programmatically by using Outlook libraries, the system shows the security warning message –

A program is trying to access e-mail addresses you have stored in Outlook. Do you want to allow this?
If this is unexpected, it may be virus and you should choose “No”.

According to KB329765 – “This behavior occurs because there is no running session of Outlook to determine the correct security profile to load. Therefore, the default security profile is used, causing the security prompt. When you programmatically access an item in the Address Book, a session must be running to determine the correct security profile to load. When Microsoft Outlook is not running, the security dialog prompts the user because the default security profile is used.”

Although offered as a security feature, this prompt can be very annoying if the application frequently needs to access the address book or to send mails.

The workaround is to disable this security prompt by setting/creating a REG_DWORD registry entry CheckAdminSettings = 1 located at HKEY_CURRENT_USER\Software\Policies\Microsoft\Security

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Security] "CheckAdminSettings"=dword:00000001

The table below shows other applicable values for CheckAdminSettings.

Value	What Oulook Does
Key not present	Uses its default settings
0	Uses its default settings
1	Looks for settings in the Outlook Security Settings folder, applying them according to the defaults and specific users you've specified.
2	For Outlook 2002 and Outlook 2003 only: Looks for settings in the Oulook 10 Security Settings folder, ignoring any settings in the Outlook Security Settings folder. Use this value when you want Outlook 2002/2003 to use different settings
Anything else	Uses its default settings

This setting applies in current user hive only. Therefore, to apply it by default to all users, make the same entry in Default User hive (HKEY_USERS\.DEFAULT). This NTUSER.DAT file can then be copied to other systems as well where the Outlook security warning needs to be disabled. Of course, it goes without saying that this setting can also be exploited by viruses. Also note that CheckAdminSettings registry change works only with Exchange Server.

References: http://searchexchange.techtarget.com/originalContent/0,289142,sid43_gci963544,00.html

Thanks to my manager for sharing this info!

VBScript: Execute process remotely with WMI

For our terminal/citrix servers we have to regularly run delprof command for deleting inactive user profiles to minimize disk space consumption. The annoying part is to login into each of the servers just to run this command. Even though delprof supports deleting profiles on remote servers with the switch /C:\\<computername>, but that runs terribly slow over WAN links.

A workaround is to remotely execute delprof (or for that matter any other command) on the remote server by using tools like PsExec which installs a temporary service on the remote machine to be able to execute process remotely, and unintalls the same service after the process finishes. Because of its dependency on installing a service, PsExec might not always be a viable option in production environment. So, what's an alternative now?

Enter WMI.

It offers the capability to execute process remotely with the limitation of not allowing any user interaction - the process will run in the background without showing any interface on user's session, which is a perfect feature for running silent installs or non-interactive processes, for example, delprof /q/i

Below is the code snippet which does the job.

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
intReturn = objWMIService.Create("delprof /q/i", Null, Null, intProcessID)

This script also uses Popup function of WScript.Shell instance to display message box which disappears after specified seconds - great for showing quick status messages without waiting for any user interaction.

Here is the complete script which executes delprof command on the target server and shows before and after free space information at the end, on the client side.

Assumptions:

• Delprof executable should already be installed on the target server.
• Because the script also checks before and after free space on C: drive, it assumes that \Documents and Settings folder is located on server's C: drive.

Reference: http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec06/hey1208.mspx

NOTE: For some weird reason, delprof command is case sensitive. Therefore, DELPROF /q/i does not recognize the "quiet" and "ignore" switches and still prompts: Delete inactive profiles on \\SERVERNAME? (Yes/No)

VBScript: Unload Non-Active User Hives From Registry

In Windows 2000 Terminal Server/Citrix environments, it often happens that after users have logged off, their user registry hive doesn't unload automatically from HKEY_USERS\, which in turn keeps consuming registry space and causes it to go out of sufficient free space. The workaround is to launch REGEDT32.EXE (on W2K) or REGEDIT (on W2K3) and manually unload user hives from HKU, but again you'll need to manually figure out who all are active users and exclude those from unloading. This manual process requires converting each of the logged-in user IDs into their respective SIDs and searching them in HKU to exclude.

This script addresses these issues and automates the process of unloading only non-active user hives from HKEY_USERS. This script first converts each of the loaded user SIDs into user names, then attempts to unload all but the active ones by matching those user names with the output from 'query user' command. Below are more details:

Expected Input: Target computer name. By default it’ll show local computer name where it is executed from, which can be changed to any target system. This script can be run from the local desktop session, no need to login into remote system.

Definite Output: The output file will open automatically in notepad after script execution, and will be stored in C:\TEMP\UnloadHive-SERVERNAME.log on the system where it is run. The output file shows a quick summary of how many hives unloaded successfully and registry space gained. This script also keeps updating a single log file (CSV) with summary result of each execution - in case any data analysis or trend analysis is required to do in future.

Dependency: Requires psgetsid.exe to be present in the same directory where script is. It is recommended to copy psgetsid.exe in the executable path on the local machine (e.g., C:\Windows\).

Download the script here.

Importing Yahoo! mails to Gmail

Since I don't have anything new to post, I'll just bookmart some useful information I came across. If you (me) ever think about migrating to Gmail from Yahoo! http://sandeep.wordpress.com/2006/11/27/moving-to-gmail

Citrix Scripting with WMI

A great tip to use WMI for scripting Citrix (if MFCOM sounds scary :-) ) http://www.frameworkx.com/frameworkx/contentblogdetail.aspx?blog=56&id=438

Stay Secure!

This is definitely not good. During last one week two of my friends lost their yahoo accounts, possibly got hacked. Amit was on SANS security training in Singapore, with 65 other potential hackers security professionals. After the last day in his training when he came back home he realized that his Yahoo! Account password wasn’t working anymore. My other colleague, Sudhakar, accessed his yahoo mail on his roommate’s laptop and next thing he knew the following day was, his yahoo password wasn’t working anymore.

I can’t stress enough how risky it is to access your email/e-banks/e-commerce transactions over public networks or on some others’ machine. It is not a matter of having complete trust on someone you know well enough, even if that person happens to be your family member/close friend/colleague, because you can never be sure if his own machine is secure enough. You cannot rule out the possibility that his machine might already be hacked, and all it takes is just one attempt for you to enter your secret credentials on that hacked machine (or if he hasn’t intentionally been running malicious programs).

An end-user never bothers to secure his own machine apart from following regular recommendations – things like, keep the anti-virus definitions updated, install anti-spywares like Spybot & Windows Defender and keep the definitions updated, regularly scan your system with anti-virus/anti-spywares, blah-blah. But the important aspect we don’t usually realize is that there are other channels to hack into system and keep it infected in a manner that regular anti-virus/anti-spywares cannot detect. The biggest limitation with these scanning tools is that these are all definition based and not behavioral/pattern based. What this means is that unless the loophole/vulnerability/threat becomes visible in public domain and a patch/definition is released, these scanning tools will not be able to detect them. For example, anyone with a decent programming knowledge can develop a quick key-logger/virus/Trojan and release it within limited scope, may be within among his contact circle. Behavioral based scanning tool, on the other hand, keep monitoring the system at lower layers (of OS architecture) and are better able to detect system modifications that key-logger tries to make to activate itself.

The other aspect most people ignore is that they do not change the default system configuration. For example, after a typical Windows installation, quite a few system services get active which might not really be required for user, but which can act as potential security holes. Network services like ‘client for Microsoft networks’ and ‘file and print sharing’ are always active on all the network interfaces – physical network interface as well as wireless interface. Unless a good firewall is installed on the system, it is not very difficult to hack into the system using just these two services and activate some Trojan/key logger on that system. Rootkit is another new category of tools which are even harder to detect with traditional scanning tools.

Here are some quick recommendations. This is not an exhaustive and polished list, but just few quick ones on the top of my head. Of course, it goes without saying that if you use same laptop at both office and home, you should check with your system administrator before making these modifications. 

• Always ensure that your system is completely patched with up to date hot-fixes. You can use Microsoft’s Baseline Security Analyzer to do the gap analysis and install all the required patches.
• Never trust any system other that your own (secure) system for entering your credentials (email/banking/credit card/etc). Remember, all it takes is just one attempt, even if that system belongs to your closest friend/family member/colleague. I personally confess of having captured password details of my friends, though I have never (mis)used those details!
• Disable Remote Registry service. An example where this can be exploited is, lot of instant messengers store user passwords in encrypted form inside registry. All it takes is extracting the relevant registry keys remotely and attacking it offline. Again, anyone who knows me, when I say to them that they haven’t changed their passwords for a long time, I really mean it (sometimes)! J
• Even when using your own system over public wireless network, do not enter confidential details. The risk with these public hotspots is that you can never know that the person sitting next to you can possibly be running some network capturing tool to sniff your data packets to crack it offline later. There are tools available which can capture your network interface’s MAC address and inject those same MAC address in their own machine’s network packets to trick the wireless switch to send the returning packets to their system. If you really have to use public wireless hotspots for entering confidential details, do that only over VPN connection.
• Disable ‘Client for Microsoft Networks’ & ‘File and Print Sharing’ on wireless network interface unless you use open wireless access in your office/home for logon authentication and/or sharing files/print attached to your own system. At home if you connect your DSL directly to your system, you should either install a good firewall or disable these two services on the interface where DSL connects (physical LAN port or wireless), because when DSL is directly connected to your system, it is your system which gets the public IP address and gets exposed to Internet. Do yourself a big favor and get a switched-router instead of connecting your system directly to public interface.
• Avoid installing any third-party softwares without first testing it on some dummy machine. Use VMWare Workstation (paid) or Virtual PC (free) for testing softwares in isolated environments.
• Regularly run Autoruns and Process Explorer on your system to monitor what all processes are configured to autostart and currently running. If all the entires in these tools scare you first, start getting yourself familiar with it. 

Here are some quick directions on what you should have on your system: 

• Rootkit detection:
  http://www.sysinternals.com/Utilities/RootkitRevealer.html 
  http://sophos.com/products/free-tools/sophos-anti-rootkit.html
• Firewall: Choose from the review - http://www.firewallguide.com/software.htm
• Anti-Spyware: Choose from the review - http://www.firewallguide.com/spyware.htm
• Anti-Virus: Choose from the review- http://www.firewallguide.com/anti-virus.htm
• Autoruns - http://www.sysinternals.com/Utilities/Autoruns.html and
  Process Explorer - http://www.sysinternals.com/Utilities/ProcessExplorer.html.
  To know more about these two tools, read my other posting http://sogeeky.blogspot.com/2006/06/few-must-know-tools-for-basic-system.html

Don't believe me? Read this: http://travel2.nytimes.com/2006/08/22/technology/22secure.html?adxnnl=1&adxnnlx=1156943011-4xWhSB0vFUdnCdz81cssqQ

How To Capture Network Traffic on Local Computer

A great tip from Joe about sniffing network traffic on local computer - http://blog.joeware.net/2006/08/21/539/

How & Why You Should Backup Registry Files

If you ever come across Windows boot error when it fails to load one or more (corrupted) registry hives, you can follow the steps explained in MS KB307545 to recover from corrupted registry. Having said that, lets understand few non-obvious facts.

When Windows is installed, it creates a backup of all the registry files in \%SYSTEMROOT%\repair\, whereas all the active registry files that Windows uses during run time are stored in \%SYSTEMROOT%\System32\Config. If any of the registry files inside \Config folder is corrupted, you can use Recovery Console to recover registry files from \repair folder to \config folder. There is however one significant consequence - the system will lose all the softare installation settings and system configuration done since Windows installation because registry files inside \repair folder are never updated after Windows installation, so after recovering those files the system essentially goes back to the same state when it was first installed (KB307545: "...This registry was created and saved during the initial setup of Windows XP. Therefore any changes and settings that occurred after the Setup program was finished are lost...").

To avoid this consequence, you can periodically update \repair folder using NTBACKUP tool. NTBACKUP doesn't have any specific option to update registry files, but all you need to do is take a System State backup, which will create a flat .BKF file, but will also update the \repair folder with copies of all registry files from \config folder. You can later delete that .BKF files because all we want to accomplish here is to update \repair folder with the most recent copy of registry files. It is also very easy to automate this entire process by creating a scheduled backup job which runs once a week (or depending on how frequently you change system settings or install/uninstall softwares) and overwrites the same BKF file. Here is a related article which addresses similar requirement - http://www.windowsitpro.com/Article/ArticleID/24657/24657.html

Spywares Will Be Spywares

As soon as I heard about free DJ softwares – KraMixer & MixSense – both from Kramware, I immediately went ahead and started the installation, only to realize that both come bundled with Save software L

Few years ago, Save software used to be a very ‘popular’ spyware – just as prominent as GAIN and few others were. I had not heard about Save afterwards until I came across these two freewares from Kramware. Nevertheless, still to give it a shot and see if anything has changed in its ‘spyware’ behavior, I went ahead and installed KraMixer along with it’s Save and search bar components. Yes it was not only Save, but also a search bar that came bundled with it (though its installation was optional). Another reason why I still installed it was that it mentioned Save is NOT a spyware! Now this was interesting. I did hear a while ago that GAIN had made efforts to come out of spywares category, but had never heard about Save making similar efforts – only if it had been technically true. Anyway, after the installation I fired up couple of monitoring tools (ethereal, filemon, autoruns, procexp, ollydbg) to see what these no-more-spyware softwares are up to.

Just to pause here to give a quick context – by the basic definition of spyware, it is a piece of software that monitors users’ browsing habits and sends that information to software owners. It is a broad category of software – ranging from monitoring just the websites users visits, to as severe as intercepting users’ personal information (e.g., emails, passwords, etc.). This information is then used by those vendors to send spam mails and targeted advertisements. That is how they make money.

Ok, coming back. As it was obvious, when I ran Spybot S & D and Windows Defender, both caught Save.exe and its search bar as potential spywares. Now, those same softwares, just to avoid being called as spyware, apparently have changed their modes of operations. Instead of sending users’ browsing habits back to their software owners, they now do the analysis locally on users’ machine about which advertisements to show. As an example, I installed kramware’s software on a fresh virtual machine and visited sites of Spybot S&D and Windows Defender . Because both are anti-spywares, after few minutes IE started showing pop-up related to all the anti-spyware softwares. What goes in the background is, as revealed by Ethereal dump, Save.exe downloads a small database from its website and saves it inside C:\Program Files\Save\Save.db. Save.exe also builds another database store.db in the same folder apparently to keep track of all the websites user visits. Save.exe and search bar components build user’s browsing habit by regularly monitoring IE’s index.dat to peek into all websites user visits (I’ll probably write more about these index.dat files in my future posts – it is worth a complete post for itself).

Still, one good thing about these Save softwares is that whatever they intend to do, they do with user’s consent as they have mentioned in their privacy policy. But the realization, that something running on my machine is constantly monitoring my browsing habits, still bothers me.

Kramware: find some place else, not my system; I would rather pay for a commercial software.

Installing Visual Studio 6 on XP SP2

If you try to install Visual Studio 6.0 on Windows XP SP2 system, the setup prompts to update MS JVM and restarts. Sometimes even after the restart it prompts to install MS JVM again, and gets into this infinite loop.

A workaround is to copy the CD contents to a folder, open SETUPWIZ.INI, and delete the line VmPath=ie4\msjavx86.exe . Setup will not prompt for MS JVM install anymore.

If Setup.exe crashes on XP SP2 system, set the compatibility mode on SETUP.EXE to 'Windows NT 4.0' or 'Windows 2000'.

VBScript: Using Disconnected Recordset for Sorting Data

Assuming you need to create a script to list all the subfolders and their sizes within a particular folder, and sort them to see which folders occupy maximum space (e.g., all the user profiles within \Documents and Settings). A traditional approach, at least to somone new to VB Scripting, would be to dump the output in CSV format in a file and open the file in Excel to sort the list. Thats what I used to do so far!

A better approach would be to use something called Disconnected Recordset. Recordsets are usually associated with Databases and connection objects. Disconnected Recordset is similar but not associated with any back-end databases. It remains in memory only within the scope of code execution. Although limited in featues, disconnected recordsets still offer basic functionalities like Sorting. So, with disconnected recordsets, for the above script, we can create on-the-fly recordset, sort the folder names based on their sizes within the code itself and write the sorted list in any text file format (CSV, HTML). Here is how we go about doing it:

Const adBSTR = 8
Const adDouble = 5
Const MaxCharacters = 255
Set DataList = CreateObject("ADOR.Recordset")
DataList.Fields.Append "UserName", adBSTR , MaxCharacters
DataList.Fields.Append "ProfileSize", adDouble
DataList.Open

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFolder = objFSO.GetFolder("C:\Documents And Settings\")
Set colSubfolders = objFolder.Subfolders
For Each objSubfolder In colSubfolders
    DataList.AddNew
    DataList("UserName").Value = CStr(objSubfolder.Name)
    DataList("ProfileSize").Value = objSubfolder.Size
    DataList.Update
Next

DataList.Sort = "ProfileSize DESC" ' Use DESC/ASC to specify sort order.
DataList.MoveFirst

Do Until DataList.EOF
    WScript.Echo DataList.Fields.Item("UserName") _
        & vbTab & DataList.Fields.Item("ProfileSize")
    DataList.MoveNext
Loop

There are few things you need to take care of when using disconnected recordsets. While defining the fields ("UserName","ProfileSize") make sure you specify the right kind of data type for the field that matches the kind of data it needs to store. In this case, folder size could be as large as couple of GBs, therefore Integer would not be the right datatype for "ProfileSize" field. The complete list of all possible data types is available here. You might also have to use data conversion functions while storing values to these fields as I had to use CStr() for getting folder name. If you are not sure what datatype the retrieved value will have, you can use VarType() function to find that out, which will give a numeric value corresponding to its datatype. Here is the complete table.

VBScript: Add Leading Zero to Date Function Output

When you generate reports/files using VBScript periodically, it is always a good idea to suffix the file name with date/time components - e.g., "REPORT_20060811" - as it makes files easier to locate because they would already be sorted.

Using functions Year( Date ), Month( Date ), Day( Date ), subcomponents can be extracted to create filename suffix. You can also use DatePart( datetype,date ) function to extract the same components. But the problem with using any of these functions as they are, is that you would not get proper sorting orders because these will output single digits for numbers less than 10. For example, the following two lines of code will generate date components which will not have proper sorting order

strDate = Year(Date) & Month(Date) & Day(Date)
OR
strDate = DatePart("yyyy",Date) _
        & DatePart("m",Date) _
        & DatePart("d",Date)

To generate the string which will have the right sorting order, you need to append leading zeros to entries less than 10. That is what the following line of code does. It appends leading zero to all the entities, extracts 2 characters from right, and builds the string.

strDate = DatePart("yyyy",Date) _
        & Right("0" & DatePart("m",Date), 2) _
        & Right("0" & DatePart("d",Date), 2)

VBScript: Does WMI Support Querying Local Security Policy?

For doing a regular health check of our servers, I created a VBScript which queries all the relevant information (free disk space, registry size, security log size, etc.) and dumps that into a HTML file. One particular information I wanted to query remotely was one of target machine's Local Security Policies - "Log on as a service" (under User Rights Assignments).

Apparently, WMI does not have any support to enumerate Local Security Policy, probably because of security reasons. While looking for some third-party tool, I came across DumpSec, which does show remote machine's User Rights Assignments and other Local Security Policies. The problem though with this tool is, it is primarily GUI based and does not show all the rights. Even though it supports command-line parameters (C:\>DUMPSEC /rpt=RIGHTS /saveas=CSV /outfile=report.txt), it still requires output file name to dump the result instead of showing directly on the console. You are then supposed to parse that output file (may be by using FIND) to retrieve the particular piece of information. For example, executing C:\>FIND "SeServiceLogonRight" report.txt would reveal something like this:

SeServiceLogonRight,MACHINENAME\ASPNET,Log on as a service
SeServiceLogonRight,NT AUTHORITY\NETWORK SERVICE,Log on as a service

This obviously doesn't seem very efficient from scripting perspective. It would have been lot easier to get those details via Windows' scripting engine or WMI. On the positive side though, these limitations are motivating me to write my own program to query Local Security Policy (LSP) entries. Gotta revisit Charles Petzold's masterpiece on WIN32 APIs! J

Event Log Explorer

Have you ever wanted more options and features in Windows' Event Viewer?!?! Well, Event Log Explorer seems like a pretty good alternative to Event Viewer.

Here is the feature list, directly from the source:

• Multi-document user interface (MDI) to view several event logs at one time
• Favorites computers and their logs are grouped into a tree
• Viewing event logs and event logs files
• Archiving event logs
• Event descirptions are in the log window
• Event list can be sorted by any column and in any direction
• Advanced filtering by any criteria including event description text
• Quick Filter feature allows you to filter event log in a couple of mouse clicks
• Fast search by any criteria Sending event logs to printer
• Export log to different formats

More details here - http://www.eventlogxp.com/.

See my previous post for reference on eventquery.vbs - a quick way to run a filter query on event repositry.

How To Recover Local Administrator Password

This post was drafted few months ago.

There are plenty of tools available on the net - commercial as well as free, which can be used for resetting/recovering the local administrator password, but this time when I ran into the issue, none that we used to have, worked. A user's machine running Windows 2003 Standard Edition was out of domain, and later we realized that the local administrator's password was already changed from the default one. Obviously user wasn't able to recall that password. Since the machine was also running the development environment, user requested not to reformat/reimage.

For these kind of scenarios, we almost always used Offline NT Password and Registry Editor http://home.eunet.no/~pnordahl/ntpasswd/, but for some reason, this utility failed to reset the password on this machine. I would assume, it failed because of the Windows OS architectural changes incorporated in XP SP2/W2K SP1.

While looking for an alternative I came across www.loginrecovery.com which offers a free bootable downloadable CD image of about 1.5 MB. Once booted, this utility shows all the local user accounts and their corresponding password hashes. According to the website, you are supposed to note down these hashes are they are displayed on the screen, in a text file and upload that file on their website. They take 2-3 days to revert with the password for free, and charge few dollars for immediate delivery.

Not willing to pay or wait for 2-3 days, I went ahead and started searching for free programs which can crack given MD5/LM/NTLM hashes, and came across MDCrack http://c3rb3r.openwall.net/mdcrack/. At first this utility crashed when I tried running on my XP with SP2 system. I had to set compatibility mode of this program to Windows 2000 to be able to run it successfully. Using the password hashes noted above in this program, chose appropriate algorithm (Algorithm - MD5/MD4/NTLM1), and let the program run brute force algorithm to decode the password.

References:
Ophcrack - http://sourceforge.net/projects/ophcrack/
John the ripper - http://www.openwall.com/john/

How to audit and track file deletions

• Enable Audit Policy: On the machine where you want to track file deletion, go to Administrative Tools->Local Security Policy->Audit Policy , double click "Audit Object Access" on the right pane and switch-on "Success" & "Failure".
• Enable auditing for user/group: You'll need to enable and add user/security group for auditing on the folder which needs to be captured for file deletion.
  • Right click on the target folder (ex. C:\Program Files\Honeywell), select Properties and go to Security Tab.
  • Click on Advanced , and select Auditing Tab.
  • Add here the security group which would include the user who you think might be deleting the file. If you are not sure, include EVERYONE .
  • On the next screen select "Successful" & "Failed" on "Delete subfolders and files" & "Delete". Apply new settings and exit from properties.
• These configurations will generate file/folder access audit logs for the configured folder in Securit Event Logs . Since we are interested in only the logs that show details of file/folder deletions, we'll need to look for Security Logs with event ID 560 .
• Any file deletion operation will generate two events with event ID 560. After you've realized that your target file has been deleted, you'll need to filter the security log view to show only logs with event ID 560 (right click on Event Viewer->Security, select Filter...).
• If you quickly want to find out if your configured machine generated any file deletion event log, run the following command on your own (networked) machine. This will work only on XP and above, therefore, you can use this to query for security logs from Windows 2000 machines. Run cscript //h:cscript //s //nologo at least once on your system before executing the following command.

eventquery.vbs /S <Target_System_Name> /FI "ID eq 560" /L Security /V
/FI : Filter
/L : Log name {Application | Security | System}
/V : Verbose output

To know more about the above command, read here.

• A typical security log with file deletion details will look something like this:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: GKY\Raj
Computer: GKY
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Test\testdoc.txt
Handle ID: 1756
Operation ID: {0,3190200}
Process ID: 4040
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: Raj
Primary Domain: GKY
Primary Logon ID: (0x0,0x40C41)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
SYNCHRONIZE
ReadAttributes

NOTE:

• Ensure that security log is set not to overwrite itself, and has sufficient size to hold logs spanning many days. You can configure these settings by right-clicking on Security subfolder inside Event Viewer.
• You might want to test these settings by deleting few files yourself before assuming it'll deliver what you expect!

Update:Just found a better alternative to built-in Event Viewer - http://www.eventlogxp.com/

Customize IE Context-menu for RSS Bandit

I use RSS Bandit as my preferred RSS Reader. This application is based on .NET framework and has GUI very similar to Outlook 2003 (even some of the Outlook keyboard shortcuts work in this). It also has a built-in tabbed web browser, based on IE engine. This works well until multiple tabs are opened filling up entire space within RSS Bandit browser window. One of the desirable features that RSS Bandit is missing, is an option to open hyperlinks in a default web browser (IE/Firefox). It would have been nice to have a right-click context menu with an option like "Open in Default Browser" or Open in Internet Explorer".

However, this customization is very quick and easy to make, and requires only few registry entries and two lines of JavaScript code!

So, here goes step by step instructions to manually modify IE's context menu for "Open in Internet Explorer" option:

• Create a .REG file with the following contents. Or download this REG from here. Double-click on this REG file to merge the registry entries.

Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open in Internet Explorer] @="C:\\Program Files\\RssBandit\\OpenInIE.htm" "Contexts"=dword:00000022

• Create a plain text file with the following contents, and save the file as OpenInIE.htm . Or right-click here to save the file in "C:\Program Files\RssBandit" (select Save Target As... instead of directly clicking on the link). This html file can be saved at any other location but ensure that you update the above REG file with the new location (for example - C:\Documents and Settings\Application Data\RssBandit\ where other user specific configurations are stored for RSS Bandit).

<script> var shell = new ActiveXObject("WScript.Shell"); shell.run("iexplore \"" + external.menuArguments.event.srcElement + "\""); </script>

I also use Firefox occasionally and therefore created similar files for a context menu to open links in Firefox instead of Internet Explorer. Download the REG and HTML files for creating "Open in Firefox" entry in context menu.

Theoretically, it should be possible to have a generic option like "Open in Default Browser" using the code javascript:external.menuArguments.window.open(external.menuArguments.event.srcElement), which should initiate the default browser configured on the system, but apparently it is the limitation in RSS Bandit which opens a new tab instead of opening default browser if the above code is used.

References: The Old New Thing

Free VBSEditor

If you frequently develop VB scripts and use Notepad for editing, then you can use this decent free VBSEditor which also offers syntex highlighting. This is a single EXE file and doesn't require any installation.

Following steps will add an entry into context menu for VBS files to edit those files in VBSEditor.

• Create a folder called "VBSEditor" in "C:\Program Files\" and drop VBSEditor.exe in "C:\Program Files\VBSEditor\"
• Copy-paste the following text in a plain-text file and save the file as vbseditor.reg.

Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\VBSFile] @="VBScript Script File" "EditFlags"=dword:00000000 "BrowserFlags"=dword:00000008 [HKEY_CLASSES_ROOT\VBSFile\Shell] @="" [HKEY_CLASSES_ROOT\VBSFile\Shell\Edit_with_&VBSEditor] @="Edit with &VBSEditor" [HKEY_CLASSES_ROOT\VBSFile\Shell\Edit_with_&VBSEditor\command] @="\"C:\\Program Files\\VBSEditor\\VBSEditor.exe\" \"%1\""

• Double-click on the saved vbseditor.reg to import required registry settings.

Now you can right-click on any VBS file and select "Edit with VBSEditor" for script editing.

Few must-know tools for basic system administration

Sysinternals offers some of the best free tools for basic as well as advanced system administration tasks. Among all, few must haves are:

• TcpView - For monitoring network connections in real-time. GUI extention of netstat command.
• Process Explorer - Shows detailed information of each of the processes running on the sytem. The best alternative to Task Manager.
• AutoRuns - Shows detailed information of all the programs configured to run with system start. Much better than msconfig.

FPORT - This console based program from Foundstone shows all the open/active network connection details along with complete path of the executable. Another alternative to netstat command.

TIP: It is best to download and just drop all these tools in %SYSTEMROOT% folder so that you can execute them directly from Start-->Run or from console without specifying their path.

Few other useful built-in commands in Windows XP/2003:

• GETMAC - Retrives MAC address of all the network interfaces from local or remote systems. NBTSTAT can also be used to retrive MAC address.
  GETMAC retrives MAC address from machine's WMI repository, whereas NBTSTAT relies on WINS database (which could be outdated). The advantage with NBTSTAT is that it can get you the MAC address of remote machine even if the target machine is not online, whereas, for GETMAC to work, the system should be online and accessible.
  User GETMAC /V option for verbose output to see the NIC name along with their MAC addresses. Without /v, it shows only the GUID identifier and not the actual NIC name.
• HOSTNAME - To quicky find out local machine's NetBIOS name.
• TASKLIST - To quickly list all the running processes on local or remote system. Run TASKLIST /V to see details similar to what Task Manager shows. While Task Manager is limited to provide only local machine's information, TASKLIST /V can get you the same information from remote systems even if that remote machine is running Windows 2000 where TASKLIST doesn't run locally.
  Run TASKLIST /SVC to enumerate all the child processes spawned by host processes like SVCHOST.EXE and SERVICES.EXE, Task Manager does not display these details.
  For example, if you find that SVCHOST.EXE is consuming maximum resources, the culprit process is usually one of the child processes running under svchost.exe, and not the svchost.exe itself. Thats when you can run TASKLIST /SVC to enumerate all the child processes running under svchost.exe.
• TASKKILL - A very handy command for terminating processes running on local or remote systems, based on either process ID or image name. In my future post I'll explain how taskkill can be combined with tasklist to troubleshoot hanged service on local or remote systems.
• SYSTEMINFO - Quickly retrives basic system information from local or remote systems. I usually use this command to get details like - system uptime (to determine last boot time), authentication server name, system hardware model, etc. You can also use MSINFO32.EXE to see similar output in graphical mode for local as well as remote systems.

How to save streaming media for offline viewing

Many a times we want to save online webcast streams (.wmv, .asx, .asf) but Windows Media Player doesn't save these streams which makes it impossible to view online webcasts in offline mode when you are not connected to Internet.

Among all the download managers that I tested, only Flashget was able to download and save streaming media contents because it supports mms:// protocol. With the latest version 1.72, it is completely free.

Download Flashget here: http://www.flashget.com/

Take control of your career

Came across this great post (http://software.ericsink.com/Career_Calculus.html) by Eric Sink about how you can take control of your career.

It is our own responsibility to shape up our career, but sometimes we tend to focus on aspects which do not play any role in moving up in career scale.

His post also links to two additional posts, but those are 3 years old and are not available anymore. However, cached versions of those posts are still available at www.archive.org

Doug Reilly – Who is responsible for your career

Robert Hurlbut - I am responsible for my career

Sam Gentile - I alone am responsible for my technical growth

Eric Sink, who earned his B.S from University of Illinois, Urbana-Champaign (UIUC), is among the ones who had initially developed what is now known as Internet Explorer. On his about page, find an interesting flashback to mid-90’s when browser war had just started.

Personally, I find it very interesting to discover more and more people who are academically associated with UIUC. Ray Ozzie, who recently took over Bill Gates position as Chief Software Architect, has been honored as a distinguished alumnus of the University of Illinois at Urbana-Champaign.

Speed up Internet Explorer

By default Internet Explorer does not allow more than 4 or 2 simultaneous sessions (HTTP 1.0/1.1) from the same source. You can, however, override this setting by adding few registry keys.

Execute the following two commands to add the required values.

• REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v MaxConnectionsPer1_0Server /t REG_DWORD /d 20

• REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v MaxConnectionsPerServer /t REG_DWORD /d 20

More information, including reason for the default limit, is available at http://www.winguides.com/registry/display.php/536

Mirror page of: Jeroen van de Kamp on Using Flex Profiles

The following page/link (BriForum 2005 Video: Jeroen van de Kamp on Using Flex Profiles) is no longer available on Brian Madden's site and shows error. Becasue this link is extremely useful, I am just mirroring the contents that I got from Google's cache version of the same page.

---

BriForum 2005 Video: Jeroen van de Kamp on Using Flex Profiles

Author Information
Jeroen van de Kamp

November 28, 2005

Since their debut two years ago, the concept of the "flex" profile has taken the server-based computing world by storm since they have the advantages of roaming profiles without the headaches. We owe this success to the original visionary of the flex profile: Jeroen van de Kamp, the creator of the free Flex Profile Kit.

In this double-session (two hours), Jereon himself presents "Flex Profiles in practice." This session covers practical and in-depth implementation scenarios and best-practices for Flex Profiles.

We'll start with why and when to consider Flex Profiles and then move into the technology basics, profile folder content redirection, mandatory profile configuration, optimizing performance, implementation strategies, migration tactics and scenarios, and how to get around known limitations (FlexRefresh.exe). We'll close the session with live scripting and implementation examples.

Here's his session from BriForum 2005.

Download the video of this session, WMV format (Part 1 - 64MB, Part 2 - 57MB)

Download the audio from this session, MP3 format (Part 1 - 14MB, Part 2 - 12MB)

Download the PowerPoint slides from this session (2MB)

Online HTML Editors

While composing my last two postings, I realised the limitation of the default text editor of Blogger/Blogspot. Even though it offers direct HTML editing, it still lacks WYSIWYG based features. Googling for "online HTML editor" reveled two useful free online HTML editors -

• Basic HTML editor: http://www.lissaexplains.com/htmlarea/htmleditor.shtml
  • Offers basic WYSIWYG functionalities.

• Advanced HTML editor: http://fslactivities.sd61.bc.ca/ezHTMLarea/index3.html
  • Offers advanced features like in-built Java based FTP client.
  • Different font styles and formatting, like superscripting/subscripting.
  • Multiple levels of undo/redo.

Using any of the above editors, all I had to do was copy-paste the generated HTML code in the blogger post HTML-editing window. Now I need to find a similar online editor which can directly send my postings to my Blogger/Blogspot account - a feature that is available in Word 2007 (currently in beta).

Citrix Tips: Convert object name to SID and vice versa

Very often users' cached profile become corrupt on Citrix server(s) and needs to be deleted, but that profile's registry hive remains loaded into memory even after the user has logged off. This prevents the deletion of that user's profile until the server is restarted. There is, however, a workaround to manually unload that user's registry hive. In REGEDIT.EXE or REGEDT32.EXE, all the active logged on users have their registry hive loaded into memory under HKEY_USERS represented by their user's SIDs (not the actual user names). If there are hundred of users logged-in on a server, and one particular registry hive needs to be unloaded which belongs to that user's profile, the best way is to find that user's SID and search that SID under HKEY_USERS and unload that hive.

PsGetSid from sysinternals can be used for converting user name into SID.

Convert Name to SID: http://www.sysinternals.com/Utilities/PsGetSid.html
Example: C:\> psgetsid <user_id>

Conversly, SidToName from Joeware Tools can be used for coverting SID into User ID.

Convert SID to Name: http://www.joeware.net/win/free/tools/sidtoname.htm
Example: C:\> sidtoname <S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxxxx>

UPDATED: >PsGetSid can convert SID to name as well, so you just need PsGetSID to covert name to SID and vice-versa.

The technology behind Microsoft's IntelliMirror and Exchange 2003 Server Cache Mode

Do you know from where Microsoft picked up technologies behind IntelliMirror and Exchange cache mode?

These are based on the research work (CODA File System) done by Mahadev Satyanarayanan from Carnegie Mellon University.

Whats more facinating to note that is, he is also the co-founder for Internet Suspend/Resume approach, which is a potentially revolutionary idea. This is already being tested in Intel Research Pittsburgh.

Maximize IE window permanently

With the default configuration of IE/Windows OS, any new IE window that opens up, does not open in maximized size. Even if you maximize those new windows manually, they still go back to their own size the next time you open them. To fix this, following is the solution I found while searching on the net:

• Close all instances of Internet Explorer except one. Open a new window, and close the original. Type (case sensitive) the following into the address bar (where XXX,XXX is your screen resolution), and press ENTER -> javascript:moveTo(0,0);resizeTo(xxx,xxx)
• When the new window re-sizes, hold the CTRL key and close the window. New windows should now open at full size, with everything visible.

This is another of those documentations that I need to keep :-)

WIN51IS.SP1

Recently, one of my colleagues ran into this issue when he was trying to install IIS components on Windows Server 2003. Since, I was aware of this issue, I thought of posting it for my own documentation. Whenever Service Pack is slipstreamed into the original installation source (i386), an additional file WIN51IS.SP1 is automatically created in the same directory where i386 folder resides. This file - WIN51IS.SP1 is essentially a service pack identifier file and its exact name depends on the OS version and the service pack slipstreamed into it. Few examples: WIN51IA.SP1 for Windows 2003 Advanced/Enterprise Server WIN51IS.SP1 for Windows 2003 Standard Server WIN51IB.SP1 for Windows 2003 Web Server The availability of this file is necessary for a successful installation if the source \i386 folder has service pack integrated into it. So, next time when you stage i386 folder on the hard disk, ensure that you also copy-paste WIN51IS.SP1 file in the same folder where i386 resides (not inside i386) to avoid any installation issues.

Enterprise Security

One of my friends - Arvind got inspired and jumped into the blogging world. He recently got promoted as Information Security Lead on his project in one the major IT Consultancy firms.

Nice to have him share his thoughts on the stuffs that he works on - Active Directory, Group Policy, Information Security, Change Management, et al.

NETSH / How to reinstall TCP/IP in XP/2003

Admins who manage HP/Compaq Proliant servers would probably agree with me that remotely administering these server using RIB/iLO is a real pain. Few weeks ago, I had to re-do network teaming on one of the remote servers located in different geography using the RIB interface. It was a real pain trying to keep mouse cursor in sync to be able to go through many clicks to make network configuration and re-assign IP/gateway/DNS/WINS addresses. That was when I realized the true potential of NETSH command-line interface and the scripting capabilities it offers on Windows platform.

For the same scenario, I could’ve exported the network configuration using c:\>netsh -c interface dump > c:\netsetting.txt and after re-doing the teaming could’ve imported the same setting from the text file using C:\>netsh -f c:\netsetting.txt

Though we need to be careful not to change the name of any of the network interfaces – HP Network Team #1 should not become HP Network Team #2 after redoing the teaming.

Netsh comes handy not only for exporting/importing network configurations, but it is also capable of making different network settings like assigning IP/mask/gateway/DNS/WINS. Netsh command is also used for resetting TCP/IP stack in Windows XP and 2003 platforms. Unlike Window 2000, TCP/IP is a core component of Windows XP/2003 and cannot be uninstalled/reinstalled; it can only be reset to the state when the operating system was installed, which the following command does

c:\>netsh int ip reset resetlog.txt

Find more details at:
http://www.petri.co.il/configure_tcp_ip_from_cmd.htm
http://support.microsoft.com/kb/317518/

It had to happen sooner or later

The Blogger plug-in for MS Word work is a great opportunity for me start putting up my thoughts/comments/stories centered mostly around techi/geeky/random stuff... stay tuned.